Computerized method for signing a message

ABSTRACT

A computerized method for signing a message, where a secret key is used for signing and the signature can be tested with the help of a public key, provides for the public key to be a number n that is the product of two large prime numbers p and q; the secret key includes at least one of the two prime numbers; a polynomial is created in the form P(x)=x^(k) +a_(k-1) x^(k-1) + . . . +a₁x+a₀, whose coefficients a_(k-1) . . . a₀ are formed from the message, taking into account a random number. This polynomial is used to derive additional polynomials P(x) mod p and P(x) mod q whose zeros in the respective finite fields GF(p) and GF(q) are determined. The zeros are combined into one or more solutions z of the equation P(x) mod n=0, and the random number and the solution z or selected solutions z are added as the signature to the message.

FIELD OF THE INVENTION

The present invention concerns a process for electronically signing a digitized message, wherein a secret key is used for signing and the signature can be tested with a public key.

BACKGROUND OF THE INVENTION

The general principle of a signature method is described, for example, in IEEE Transactions on Information Theory, vol. IT-22, November 1976, pages 644 to 654. A concrete embodiment of this principle, also known as the RSA method, was described for the first time in Communications of the ACM, vol. 27, no. 27, February 1978, pages 120 to 126. Using the secret key, a signature is generated for the data set transmitted, whereupon each individual receiver can then use the public key to test the authenticity and origin of this signature.

The known RSA method is based on the mathematical problem of factoring such numbers, in other words, determining the factors of the numbers.

SUMMARY OF THE INVENTION

The object of this invention is to enable practical implementation of the signature and its verification in the simplest possible manner and at a high speed.

This object is achieved according to this invention by

providing a public key as a number n that is the product of two large prime numbers p and q,

providing a secret key including at least one of the two prime numbers,

forming a polynomial of the form P(x)=x^(k) +a_(k-1) x^(k-1) + . . . +a₁x+a₀ whose coefficients a_(k-1) . . . a₀ are formed from the message by taking into account a random number,

this polynomial is used to derive additional polynomials P(x) mod p and P(x) mod q whose zeros in the respective finite fields GF(p) and GF(q) are determined,

combining the zeros to form one or more solutions z of the equation P(x) mod n=0 and

adding the random number and the solution z or selected solutions z to the message as the signature.

In the event no zeros can be found in the respective finite field for one or both of the additional polynomials, a refinement provides for the steps of creating the polynomial, deriving the additional polynomials and determining the zeros of the additional polynomials to be repeated with another random number if necessary until both of the zeros thus determined are in the respective finite field.

A very high degree of security is achieved especially when each of the two additional polynomials has at least two different zeros in the respective finite field. For this reason another refinement of the method according to this invention provides for the creation of the polynomial, the derivation of the additional polynomials and the determination of the zeros of the additional polynomials to be repeated if necessary with another random number until both additional polynomials have at least a given number of zeros in the respective finite field.

If the zeros of P(x) mod p are d₁ and d₂ and those of P(x) mod q are e₁ and e₂, the signature of the message will include the random number plus the two numbers α·p·e₁ +β·q·d₁ and α·p·e₂ +β·q·d₂, where α·p+β·q=1 is a multiple sum representation of the number 1 that can be calculated with the help of an extended Euclidean algorithm.

A method of forming coefficients that is especially advantageous when the calculations are repeated with different random numbers is achieved with another refinement of this invention where the coefficient a₀ is formed by the random number and the other coefficients of the polynomial are derived from the message using certain steps. The other coefficients can be formed, for example, by the fact that the certain steps include dividing the message into blocks and assigning the blocks to the individual coefficients.

An advantageous embodiment of the process according to this invention includes calculating the solution z from the zeros of the additional polynomials by using the extended Euclidean algorithm and the Chinese Remainder theorem.

This method is secure when k≧2. The number n should be as large as possible for security reasons. A compromise between security and extensive computation that is favorable with regard to the current requirements is obtained with log₂ n≈500.

A quick and simple test of the signature created with the method according to this invention is possible by determining whether the number P(z) mod n is equal to zero. With several zeros per each additional polynomial, the signature can be tested by determining whether each of the numbers P(z) mod n is equal to zero.

An advantageous terminal for a telecommunications network includes providing a program containing the steps necessary for the process according to this invention which are executed by a computer.

In one embodiment of the terminal according to this invention, operation in receiving a signed message is facilitated by the fact that a list of the public keys belonging to the given senders of messages can be stored.

Another embodiment of the terminal according to this invention makes it easy to sign a message that is to be sent by providing one or more secret keys that can be stored and retrieved by entering a password and then used for a message to be sent.

The method according to this invention may be applied in a variety of ways, for example, to legal and contract texts or any messages in business and official communications that result in legal liability and therefore must also be signed by hand in conventional written communications. Such text documents can be interpreted as a binary number with the value m. The integer n to be used as the public key is the product of two large prime numbers p and q. At least one of these is known, but only to the sender.

BRIEF DESCRIPTION OF THE DRAWINGS

The following figures are provided:

FIG. 1 shows a flowchart of the method of the present invention.

DETAILED DESCRIPTION

In a preferred embodiment of this invention, in order to sign a message m, it is broken down into blocks a_(k-1), . . . , a₁ to the extent that the blocks are interpreted as numbers smaller than n. As shown in FIG. 1, a random number a₀ is selected at step 102 for signing the message m, and the polynomial P(x)=x^(k) +a_(k-1) x^(k-1) + . . . +a₁ x +a₀ is formed at step 104 and from it are derived the polynomials P(x) mod p and P(x) mod q which are tested for the zeros in the finite fields GF(p) and GF(q) at step 106. For example, this can be accomplished with the help of the probabilistic algorithm described by Ben-Or: "Probabilistic algorithms in finite fields," Proc. IEEE FOCS 1981, pages 394-398. With a probability of more than 1/2 at least one solution is obtained that can be combined, with a probability of more than 1/4, using the Chinese Remainder theorem, to find at least one solution z of the equation P(x) mod n=0, as shown at step 108. The signature of the message m then includes the random number a₀ and the number z with the property P(z) mod n=0, as shown at step 110.

To test the signature, the polynomial P(x) is formed in the same way as in signing, although the number a₀ is derived from the signature. Then the signature is tested with the number z from the signature to determine whether the equation P(z) mod n=0 is satisfied. The security of the process according to this invention is comparable to that of the RSA method. If each of the two additional polynomials has at least two different zeros, the process can be modified so that its security is equivalent to the difficulty of factoring the number n. A person seeking to forge the signature must find a solution to the equation P(x) mod n=0, or could also factor the number n with a probabilistic method.

The method according to this invention is described below on the basis of a numerical example, where the numbers selected are small for the sake of simplicity. It is assumed that the two prime numbers are p=1237 and q=5683, so the public key is n=7029871.

To sign the message m=12345673891012, the message is divided into two blocks a₂ =1234567 and a₁ =3891012. Choosing a random number as shown in FIG. 1 yields a₀ =2473865, so the following polynomial can be formed at block 104:

    P(x)=x^(3) +1234567x^(2) +3891012x+2473865,

from which the following two polynomials can be derived:

    P(x) mod p=x^(3) +41x^(2) +647x+1102

and

    P(x) mod q=x^(3) +1356x^(2) +3840x+1760

Each of these polynomials has exactly one solution:

    z_(p) =1057 in GF(p) and z_(q) =1121 in GF(q).

With the extended Euclidean algorithm, this yields:

    -2683·p+584·q=1.

With the help of this representation, a zero z of the equation P(x) mod n=0 can be constructed by calculating the number (-2683·p·z_(q) +584·q·z_(p)) mod n=5519314 with the help of the Chinese Remainder theorem. The signed message is then:

    (12345673891012, 2473865, 5519314).

The verification of the signature by a receiver is performed after reconstructing the polynomial P(x) with the help of the first two components of the signed message. For x=5519314 and n=7029871, this polynomial is then calculated as follows and compared with 0:

    P(5519314) mod n=(5056074+4128968+2400835+2473865) mod n=0.
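
The numerical example above, carried through in Python as an added illustration that is not part of the original patent text. All function and constant names are hypothetical, and an exhaustive root search, feasible only for these toy primes, stands in for the Ben-Or algorithm cited in the description.

```python
# Added illustration (not from the patent); toy primes from its numerical example.
import secrets
from itertools import product

def poly_eval(coeffs, x, mod):
    """Horner evaluation of x^k + a_(k-1) x^(k-1) + ... + a_0 modulo mod."""
    acc = 1                              # leading coefficient of the monic polynomial
    for a in coeffs:                     # coeffs = [a_(k-1), ..., a_1, a_0]
        acc = (acc * x + a) % mod
    return acc

def roots_mod_prime(coeffs, prime):
    """Exhaustive search, standing in for Ben-Or's algorithm; toy primes only."""
    return [x for x in range(prime) if poly_eval(coeffs, x, prime) == 0]

def ext_gcd(a, b):
    """Return (g, s, t) with s*a + t*b == g."""
    if b == 0:
        return a, 1, 0
    g, s, t = ext_gcd(b, a % b)
    return g, t, s - (a // b) * t

def solutions(blocks, a0, p, q):
    """All z with P(z) mod n == 0, combined by the Chinese Remainder theorem."""
    n, coeffs = p * q, blocks + [a0]
    _, alpha, beta = ext_gcd(p, q)       # alpha*p + beta*q == 1
    return sorted((alpha * p * e + beta * q * d) % n
                  for d, e in product(roots_mod_prime(coeffs, p),
                                      roots_mod_prime(coeffs, q)))

def sign(blocks, p, q):
    """Re-draw the random a0 until both reduced polynomials have a zero."""
    while True:
        a0 = secrets.randbelow(p * q)
        zs = solutions(blocks, a0, p, q)
        if zs:
            return a0, zs[0]

def verify(blocks, a0, z, n):
    """Public-key check: only n is needed, not p or q."""
    return 0 <= z < n and poly_eval(blocks + [a0], z, n) == 0

P_SECRET, Q_SECRET = 1237, 5683          # secret primes from the example
N_PUBLIC = P_SECRET * Q_SECRET           # public key n = 7029871
BLOCKS = [1234567, 3891012]              # a_2, a_1 from m = 12345673891012

if __name__ == "__main__":
    print(solutions(BLOCKS, 2473865, P_SECRET, Q_SECRET))   # a0 from the patent's example
    print(sign(BLOCKS, P_SECRET, Q_SECRET))                 # fresh random a0 and its z
```
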

The above described signature method may be performed by a sending microprocessor of a terminal and the verification by a receiving microprocessor of a terminal. In addition, the Chinese remainder theorem calculations could be performed not only by the sending microprocessor itself, but also by a special apparatus associated with the sending microprocessor, for example that described in U.S. Pat. No. 4,709,345, which is hereby expressly incorporated by reference herein. Commonly-assigned U.S. Patent application Ser. No. 08/630,701, filed on Apr. 12, 1996, is hereby expressly incorporated by reference herein.

What is claimed is:
 1. A method for generating a digital signature and using the signature to sign an electronic message, wherein a microprocessor uses a secret key for signing and the signature can be tested by another microprocessor with the help of a public key, the public key being a number n that is the product of two prime numbers p and q, and the secret key including at least one of the two prime numbers p and q, the method comprising the steps of: forming a polynomial of the form P(x)=x^(k) +a_(k-1) x^(k-1) + . . . +a₁ x+a₀, where the coefficients a_(k-1) . . . a₀ are formed from the message by taking into account a random number, deriving additional polynomials P(x) mod p and P(x) mod q; determining zeros in respective finite fields GF(p) and GF(q) of the additional polynomials P(x) mod p and P(x) mod q; finding at least one solution z of the equation P(x) mod n=0 by using the zeros; and joining the random number and the at least one solution z to the message.
 2. The method as recited in claim 1 wherein the steps of forming the polynomial, deriving the additional polynomials and determining the zeros of the additional polynomials are repeated if necessary with another random number until each additional polynomial has at least one zero in its respective finite field.
 3. The method as recited in claim 1 wherein the steps of creating the polynomial, deriving the additional polynomials and determining the zeros of the additional polynomials are repeated if necessary with another random number until both additional polynomials have at least a predetermined number of zeros in the respective finite field.
 4. The method as recited in claim 1 wherein the solution z is calculated from the zeros of the additional polynomials by using an extended Euclidean algorithm and the Chinese Remainder theorem.
 5. The method as recited in claim 1 wherein k>2.
 6. The method as recited in claim 1 wherein log₂ n≈500.
 7. The method as recited in claim 1 further comprising the step of verifying the signed message by determining whether the at least one solution z satisfies the equation P(z) mod n=0.
 8. The method as recited in claim 1 further comprising the step of storing a list of public keys in the other microprocessor.
 9. The method as recited in claim 1 further comprising the steps of storing at least one secret key in the microprocessor and accessing the secret key by entering a password.
 10. A method for generating a digital signature and using the signature to sign an electronic message, wherein a microprocessor uses a secret key for signing and the signature can be tested by another microprocessor with the help of a public key, the public key being a number n that is the product of two prime numbers p and q, and the secret key including at least one of the two prime numbers p and q, the method comprising the steps of: forming a polynomial of the form P(x)=x^(k) +a_(k-1) x^(k-1) + . . . +a₁ x+a₀, where the coefficients a_(k-1) . . . a₀ are formed from the message and the coefficient a₀ is a random number, deriving additional polynomials P(x) mod p and P(x) mod q; determining zeros in respective finite fields GF(p) and GF(q) of the polynomials P(x) mod p and P(x) mod q; finding at least one solution z of the equation P(x) mod n=0 by using the zeros; and joining the random number and the at least one solution z to the message.
 11. The method as recited in claim 10 wherein the message is divided into blocks forming the individual coefficients a_(k-1) . . . a₁.
 12. The method as recited in claim 10 wherein the steps of forming the polynomial, deriving the additional polynomials and determining the zeros of the additional polynomials are repeated if necessary with another random number until each additional polynomial has at least one zero in its respective finite field.
 13. The method as recited in claim 10 wherein the steps of creating the polynomial, deriving the additional polynomials and determining the zeros of the additional polynomials are repeated if necessary with another random number until both additional polynomials have at least a predetermined number of zeros in the respective finite field.
 14. The method as recited in claim 10 wherein the solution z is calculated from the zeros of the additional polynomials by using an extended Euclidean algorithm and the Chinese Remainder theorem.
 15. The method as recited in claim 10 wherein k≧2.
 16. The method as recited in claim 10 wherein log₂ n≈500.
 17. The method as recited in claim 10 further comprising the step of verifying the signed message by determining whether the at least one solution z satisfies the equation P(z) mod n=0.
 18. The method as recited in claim 10 further comprising the step of storing a list of public keys in the other microprocessor.
 19. The method as recited in claim 10 further comprising the steps of storing at least one secret key in the microprocessor and accessing the secret key by entering a password.
 20. The method as recited in claim 1 further comprising the step of transmitting the message and at least one solution z from the microprocessor to the other microprocessor.